Free security tools to help you learn

Lots of people are trying to make headway in the infosec world. Many go after certs but lack real-world experience. I decided to make a post listing out free infosec tools that inexperienced people may want to start learning to help them land a job that actually requires them to know something. Most (if not all) of these tools have website or YouTube walk-throughs and are all free in some fashion. They’re roughly listed out by topical areas. I also did this off the top of my head from memory, so I’m sure I missed good ones – please leave comments with any additional thoughts and I’ll edit my post to include any other tools you suggest in the below. I’ve put asterisks in front of the ones that are “big” and will take a while to learn.

PowerShell basics (lots of tools written in PS now, so it’s good to know the basics, plus MS is phasing out cmd.exe in favor of PS)

Python basics (some people would also say Ruby – many tools also written in Python, so it’s good to know the basics in case you need to fix something)

PuTTY

Wireshark

tcpdump

nmap

netcat

opendns (helps learn the why & how of web gateways, sort of)

***splunk (will take a lot of time to learn, but very popular, lots of high paying splunk jobs. At least learn the basics)

Nessus vulnerability scanner

Nipper (aka nessus for network devices)

Nikto (aka nessus for websites)

***Snort or Bro (or both, they’re similar so it’s easy to pick one up after the other – also a very big project to learn, but at least learn the basics)

Recon-ng (or Maltego, but free version is limited)

meterpreter

Veil-Framework

Mimikatz

Spiderlabs responder

Powersploit

BloodHoundAD’s Bloodhound

EmpireProject’s Empire

Dafthack’s mailsniper

***Metasploit (includes many of the above tools, many of which are duplicative of each other)

Some people say to use Kali Linux, but it’s basically just a weak Linux distro with tools (including some of the above) built in. I’d steer you towards a real, maintained Linux distro and then use trustedsec’s PenTesters Framework (PTF) to load all your tools onto it.

Dafthack’s domainpasswordspray (very easy and lots of fun if you've got AD at work – time to start doing password audits…..)

John the Ripper or Hashcat (password cracking – fun to do with your Windows/Active Directory passwords)

clr2of8’s Domain Password Audit Tool (DPAT) – tool to report out the stats of various cracked password dumps (cracked via the tools above - good support for implementing that 20+ character passphrase policy you didn't know you needed until you ran the last three tools)

THC Hydra (brute force guessing of password login pages/consoles/etc)

Ettercap or bettercap – network attacks

Yersinia – network attacks

***OWASP ZAP or Burp Suite – web attacks

BeEF – web attacks

Sqlmap – web attacks

Google Santa (not the holiday version) – whitelisting for OSX (if you have a Mac – I’d steer you towards a dedicated [free] Linux distro instead of using a Mac)

Thinkst’s opencanary (lots of various honeypots/canaries out there, this is one to play with)

Keepass – most people in IT don’t securely store their passwords – don’t be that guy (very useful once you're rocking your new & unique 20+ character passphrases for 50 different systems)

Also strongly recommend you find the developers of the above tools and follow them on Twitter. I hate Twitter but have to admit that in terms of keeping up-to-date with new types of tools, Twitter's the best way to follow that kind of stuff.

I would definitely not steer someone clear from Kali Linux. It has a huge list of free tools to use in a controlled system. Is that a substitute for maintaining a full linux box? No, but it's a great place to learn and even use regularly.

Awesome. Thanks. I have used many of those in the past but when I try to lab it seems I see a shiny thing and get distracted...lol. I need a structured guidance to follow through to learn. If I set my own path I tend to stray too much.

Good list, interesting ideas you have though. I am not trying to be a negative nancy here but.....

Dafthack’s domainpasswordspray (very easy and lots of fun if you've got AD at work – time to start doing password audits…..) Ugh, do NOT do this on your work environment! You will lock out accounts. Plus... YOU DO NOT TEST or F' WITH THE PRODUCTION ENVIRONMENT.
Github: DomainPasswordSpray is a tool written in PowerShell to perform a password spray attack against users of a domain. By default it will automatically generate the userlist from the domain. BE VERY CAREFUL NOT TO LOCKOUT ACCOUNTS!

John the Ripper or Hashcat (password cracking – fun to do with your Windows/Active Directory passwords) Highly illegal in the USA if you plan on doing this at work with users' passwords. Quick way for you to get fired or sued.

Please don't take this the hard way or as any criticism. With great power comes great responsibility.

The password spray automatically queries AD to determine the lockout threshold, then it attempts to stay under that threshold. My red team's been using it since it was released and it stays under the threshold with no issue. The text there is the standard disclaimer of all security tools - buyer beware, this could break stuff. Always possible there's a problem, but my experience has been 100% positive. Try using it before you knock it.

jtr & hashcat aren't illegal. Everybody's work environment is different, but most mid/large companies (and many small) have disclaimers plastered somewhere that say you don't have any expectation of privacy on anything you do at work & everything you do/use belongs to your employer. This typically means that your work password belongs to your work, not you.

Keep in mind everybody - these are tools meant to help newbies learn how infosec works. This isn't a "tools to start using at your work to defend it and find its weaknesses" post. As with any new person learning the ropes - you should be running these things in a demo/test environment, not on your work computer tied into your work infrastructure. If I caught someone in my company running nmap scans and they weren't on my team, well, let's just say we'd have a joint meeting with that person & our HR director to talk about acceptable use of work assets!

That's a fair response. I agree AD passwords are part of the company's intellectual property. It is a very thin line of ethics, cracking users' passwords though. As for the password spray, no I have not used it on a production environment. I will take your word for it. I'd rather just check the AD settings for lockout threshold, but that's depending on your job role/engagement etc.
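
The "just check the AD settings" approach from the post above, written out as an added example (not from the thread or from any tool listed in it): it reports the lockout threshold, observation window and duration from the default domain policy and from every fine-grained password policy, which is what an auditor must read before any password audit is planned. It assumes the RSAT ActiveDirectory module and a domain-joined session with rights to read password policies; 'jdoe' is a placeholder account name.

```powershell
# Added example, not from the thread or any of the tools it lists.
# Assumes the RSAT ActiveDirectory module on a domain-joined host.
Import-Module ActiveDirectory

function Get-LockoutPolicyReport {
    # The default domain policy covers every account not targeted by a PSO.
    $default = Get-ADDefaultDomainPasswordPolicy
    $rows = @([PSCustomObject]@{
        Policy     = 'Default Domain Policy'
        AppliesTo  = '(accounts without a PSO)'
        Precedence = [int]::MaxValue
        Threshold  = $default.LockoutThreshold       # 0 = lockout disabled
        Window     = $default.LockoutObservationWindow
        Duration   = $default.LockoutDuration
        MinLength  = $default.MinPasswordLength
    })
    # Fine-grained password policies (PSOs) override the default for their
    # members; the lowest Precedence wins when several apply to one user.
    foreach ($pso in Get-ADFineGrainedPasswordPolicy -Filter *) {
        $rows += [PSCustomObject]@{
            Policy     = $pso.Name
            AppliesTo  = ($pso.AppliesTo -join '; ')
            Precedence = $pso.Precedence
            Threshold  = $pso.LockoutThreshold
            Window     = $pso.LockoutObservationWindow
            Duration   = $pso.LockoutDuration
            MinLength  = $pso.MinPasswordLength
        }
    }
    $rows | Sort-Object Precedence
}

Get-LockoutPolicyReport | Format-Table -AutoSize

# Resultant policy for a single account: returns the winning PSO, or nothing
# when only the default domain policy applies. 'jdoe' is a placeholder.
Get-ADUserResultantPasswordPolicy -Identity 'jdoe' |
    Select-Object Name, LockoutThreshold, LockoutObservationWindow, LockoutDuration
```

A threshold of 0 in any row means that policy never locks accounts, so the audit tooling's "stay under the threshold" logic has nothing to respect for those users; a PSO row with a lower threshold than the default is the one that will lock its members first.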

TOTALLY agree.

I have literally seen someone take down a production network after watching a quick youtube video on ARPSPOOFING ..... they had little idea on what was actually going on.

At any rate, you are spot on. Corporate level password audits have proven to be legal for years now. It's sort of a gray area in terms of ethics, but from a legal standpoint, it is what it is.

Fantastic

Android gem of a contribution. Thanks a lot for the detailed post. I was looking for this info and it took me over 2 weeks of painful dissection and search.
Only an idiot will try to run such tools in office without getting permission first.
